I have Suricata running fine and working, and have disabled a lot of rules that were “not-suspicious” or “misc-activity”, or just low severity.
However, I would like to have some rule that alerts when Suricata sees older browsers on the network. Most requests are over https, sure, but I bet a bunch are over plain port 80 where the user-agent will be visible.
But how do I find these rules? I am guessing that they might be there, but just disabled.
I have tried grepping suricata.rules for a few keywords like “browser”, “80” and so on, but didn't find any.
Is there such a rule somewhere?
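As an added example (not part of the original post), here is the search and a local rule of the kind asked about, written for Suricata 5+ rule syntax; the rules directory, the `local.rules` filename, the sid and the "MSIE 5-8" pattern are assumptions you should adjust:

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Suricata 5+ syntax and
# that the ruleset lives in /var/lib/suricata/rules (override with RULES_DIR).
RULES_DIR="${RULES_DIR:-/var/lib/suricata/rules}"

# Step 1: rules that inspect the User-Agent header use the http.user_agent
# sticky buffer (older rulesets: the http_user_agent modifier), so grep for
# that keyword rather than for "browser" or "80".
find_ua_rules() {
    grep -h -E 'http[._]user_agent' "$RULES_DIR"/*.rules 2>/dev/null
}

# Step 2: a local rule for legacy Internet Explorer user agents on plain HTTP.
# The "MSIE 5-8" token is a constructed example; widen the pcre for other
# browsers. The sid is in the private 1000000+ range; bump rev on each edit.
old_browser_rule() {
    printf '%s\n' 'alert http $HOME_NET any -> any any (msg:"LOCAL POLICY Legacy Internet Explorer user agent seen"; flow:established,to_server; http.user_agent; content:"MSIE "; pcre:"/MSIE [5-8]\./"; classtype:policy-violation; sid:1000001; rev:1;)'
}

# Step 3: append the rule to local.rules and ask Suricata to test-load the
# configuration so a syntax error surfaces before the next restart.
install_rule() {
    old_browser_rule >> "$RULES_DIR/local.rules"
    suricata -T -c /etc/suricata/suricata.yaml
}
```

Because the rule matches on the parsed HTTP request rather than on a port number, it fires on cleartext HTTP on any port and never on HTTPS, whose headers Suricata cannot read.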